Patch Analysis for February 2011

Many of the updates released this month address vulnerabilities in the heart of the OS, affecting key components. A glance at Microsoft’s exploitability index chart indicates that consistent exploit code is likely in the near future. Six of these have already been publicly disclosed.

MS11-003 is a cumulative update addressing 4 vulnerabilities in Internet Explorer, two of which are publicly disclosed. Of those, one is being exploited.

IIS servers and workstations running the FTP service on Vista or later are primarily at risk from the vulnerability addressed in MS11-004.

A restart of domain controllers is required to implement MS11-005. Administrators of Server 2003 domain controllers will want to plan for this to minimize disruptions. Microsoft indicates that consistent exploit code is unlikely for this vulnerability.

MS11-008 addresses two privately reported vulnerabilities in Visio 2002, 2003 and 2007.

MS11-010 and MS11-011 both address vulnerabilities that could cause a privilege elevation. These involve basic components of the operating system and so require a restart. In addition, kernel mode drivers can wreak havoc and cause a system to crash. MS11-012 deals with 5 vulnerabilities, and a restart is also required for it. To exploit any of these vulnerabilities a user must be able to log on locally or via Terminal Services.

MS11-013 addresses 2 vulnerabilities. One of these is not exploitable if the domain is on Server 2008. This first vulnerability has been publicly disclosed. A Kerberos spoofing vulnerability also exists on Server 2008 R2 that could weaken Kerberos encryption, making it easier to crack.

To exploit the vulnerability in MS11-014 a user must be logged on locally.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS11-011 (2393802) | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-008 (2451879) | Arbitrary code / Office Visio | Workstations, Terminal Servers | No/No | Yes | Important | Visio 2003, Visio 2002, Visio 2007 | | Patch after testing |
| MS11-009 (2475792) | Information disclosure / JScript and VBScript Scripting Engine | Workstations, Terminal Servers | No/No | No | Important | Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-010 (2476687) | Privilege elevation / Windows | Workstations | No/No | No | Important | XP, Server 2003 | Restart Req'd | Patch after testing |
| MS11-005 (2478953) | Denial of service / Active Directory | Domain Controllers | Yes/No | No | Important | Server 2003 | | Patch after testing |
| MS11-014 (2478960) | Privilege elevation / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003 | Restart Req'd | Patch after testing |
| MS11-012 (2479628) | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | No/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-003 (2482017) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/Yes | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative Update; Restart Req'd | Patch after testing |
| MS11-006 (2483185) | Arbitrary code / Windows Shell | Workstations, Terminal Servers | Yes/No | Yes | Critical | XP, Vista, Server 2003, Server 2008 | Restart Req'd; proof of concept code published | Patch after testing |
| MS11-007 (2485376) | Arbitrary code / OpenType CFF | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-004 (2489256) | Arbitrary code / IIS | Workstations, IIS Servers | Yes/No | Yes | Important | Vista, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-013 (2496930) | Privilege elevation / Kerberos | Workstations, Terminal Servers, Servers | Yes/No | No | Important | XP, Win2003, Windows 7, Win2008 R2 | Restart Req'd | Patch after testing |
